# SIEM Supported Fields

This document shows the fields supported by each provider and operation.

- [query_events](#query_events)

## query_events

| Field | CrowdStrike Next-Gen SIEM | Google Security Operations | Google Security Operations (Chronicle Compatibility) | IBM QRadar SIEM | Microsoft Sentinel | Splunk Enterprise Security | Sumo Logic Cloud SIEM | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ActingAppId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActingProcessId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActorUserId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActorUserIdType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActorUserType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActorUsername | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ActorUsernameType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.cloud_provider | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.cloud_region | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.compliance_control | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.compliance_requirements | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.compliance_standards | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.compliance_status | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.finding_info_related_events[].type_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.finding_info_related_events[].uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.malware[].classification_ids | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| AdditionalFields.malware[].name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.malware[].path | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.observables[].name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.observables[].type | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.observables[].type_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.observables[].value | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.ocsf_activity_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.ocsf_activity_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.ocsf_category_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| AdditionalFields.ocsf_category_uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.ocsf_class_uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.ocsf_status_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.ocsf_target_user_email | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.ocsf_timezone_offset | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.ocsf_type_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.ocsf_type_uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AdditionalFields.resources[].labels[] | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.resources[].name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.resources[].type | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.resources[].uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AdditionalFields.timezone_offset | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| AlertDescription | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AlertId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AlertName | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AlertOriginalStatus | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AlertStatus | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AlertVerdict | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Application | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AttackRemediationSteps | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AttackTactics | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| AttackTechniques | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DetectionMethod | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Dst | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Dvc | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcFQDN | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcHostname | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcIdType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcIpAddr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcMacAddr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcOs | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcOsVersion | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| DvcZone | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventCount | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| EventEndTime | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventMessage | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventOriginalResultDetails | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventOriginalSeverity | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventOriginalSubType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventOriginalType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventProduct | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventProductVersion | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventResult | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventSchema | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventSchemaVersion | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventSeverity | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventStartTime | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventSubType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventUid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| EventVendor | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Hostname | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| IndicatorAssociation | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| IndicatorType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| IpAddr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| LogonProtocol | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Object | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ObjectType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ProcessId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Rule | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| RuleDescription | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| RuleName | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| RuleNumber | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| Src | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcDescription | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcDeviceType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcFQDN | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcHostname | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcIpAddr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| SrcPortNumber | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| Target | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetAppName | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetAppType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetDescription | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetDeviceType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetDvcId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetDvcIdType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetDvcOs | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetFQDN | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetHostname | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetIpAddr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetOriginalUserType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetPortNumber | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| TargetUserId | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetUserIdType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetUserType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetUsername | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| TargetUsernameType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatCategory | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatConfidence | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| ThreatFirstReportedTime | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatIsActive | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | boolean |
| ThreatName | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatOriginalCategory | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatOriginalConfidence | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatOriginalRiskLevel | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| ThreatRiskLevel | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| TimeGenerated | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| User | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| UserType | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| action_id | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| actor.app_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.idp.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| actor.process.pid | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| actor.user.email_addr | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.full_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.name | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| actor.user.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| actor.user.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| api.operation | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| auth_factors[].factor_type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| auth_factors[].factor_type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| auth_factors[].unmapped_mechanism | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| auth_protocol | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| auth_protocol_id | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| cloud.provider | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| cloud.region | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| count | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| device.domain | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.ip | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.last_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.location.description | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.mac | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.os.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.os.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.os.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| device.owner.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| device.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.type_id | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| device.unmapped_noun_process_if_device.file.fullPath | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| disposition | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| disposition_id | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | number |
| dst_endpoint.domain | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| dst_endpoint.hostname | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.ip | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.location.description | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.mac | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.os.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.owner.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| dst_endpoint.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.svc_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| duration | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| end_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| finding_info.title | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| http_request.url.port | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| intermediaries[].hostname | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| is_remote | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | boolean |
| job.file.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| job.file.type_id | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| job.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.file.path | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.name | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| logon_process.pid | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_type | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| logon_type_id | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | number |
| message | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.correlation_uid | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.event_code | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | mixed |
| metadata.labels[] | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.log_name | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.log_provider | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.log_version | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.processed_time | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | timestamp |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.tenant_uid | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| metadata.uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| observer.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.cmd_line | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.file.path | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| resource.labels[] | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| resource.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| resource.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| risk_level | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| risk_level_id | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| service.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| session.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| severity | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| severity_id | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| src_endpoint.domain | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.hostname | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.ip | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.mac | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| src_endpoint.name | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.os.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.os.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.os.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| src_endpoint.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| src_endpoint.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| src_endpoint.port | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| start_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| status | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| status_id | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | number |
| system.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| system.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| user.account.name | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| user.domain | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| user.full_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| user.name | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| user.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| user.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| user.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |